In all existing protocols of private communication with encryption and
decryption, the pre-shared key can be used only once. We give a
deterministic quantum key expansion protocol where the pre-shared key
can be recycled. Our protocol costs fewer qubits and almost zero
classical communication. Since the bit values of the expanded key are
deterministic, this protocol can also be used for direct communication.
Our protocol includes the authentication steps, therefore we need not
worry about the case that Alice and Bob are completely isolated.



I. INTRODUCTION 

Information processing with quantum systems enables us to do novel
tasks which seem to be impossible with its classical counterpart [1-3].
Among all of the non-trivial quantum algorithms, quantum key
distribution (QKD) [3-9] is one of the most important and interesting
quantum information processing tasks due to its relatively low
technical overhead: the only things required are quantum state
preparation, transmission and measurement. It needs neither quantum
memory nor collective quantum operations such as the controlled-NOT
(CNOT) gate. Therefore, QKD will be the first practical quantum
information processor [8]. QKD makes it possible for two remote
parties, Alice and Bob, to make unconditionally secure communications:
they first build up a secure shared key and then use this key as the
one-time-pad to send the private message. However, in the standard
BB84 [3] protocol, at least half of the transmitted qubits are
discarded due to the mismatch of preparation bases and measurement
bases of the qubits. Also, the standard BB84 protocol does not include
authentication. This makes it insecure in the case that Alice and Bob
are completely isolated: an eavesdropper (Eve) may intercept all
classical information and quantum information, and the actual case
there is that each of Alice and Bob is doing QKD with Eve separately.

In this Letter, we shall give an efficient protocol to ex- 
pand the key deterministically or make direct communi- 
cation, with authentication being included. Our protocol 
has the advantage of lower cost in both classical commu- 
nication and quantum states transmission. Our protocol 
includes the authentication steps. The pre-shared key 
can be recycled in our protocol. 



The requirement of pre-sharing a secret string is not a 
serious drawback of our protocol. In the case authenti- 
cation is required for security, all protocols need a pre- 
shared secret string; in the case that authentication is 
thought to be unnecessary, our protocol need not pre- 
share anything initially: they may first use any standard 
QKD protocol to generate a secret random string and 
then use this string as the pre-shared string. 

The initial version of the QKD protocol [3] proposed by Bennett and
Brassard is fully efficient by delaying the measurement. This delay
requires quantum memories, which are technically very difficult.
Another method
is to assign significantly different probabilities to the dif- 
ferent bases [10]. Although unconditional security of the 
scheme is given [10], it has a disadvantage that a larger 
number of key must be generated at one time. Roughly 
speaking, with the bases mismatch rate being set to e, 
the number of qubits it needs to generate at one time 
is e^^ times of that of the standard BB84 [3]. In a re- 
cently proposed QKD protocol without public announce- 
ment of basis (PAB) [11,12], there is no measurement 
mismatch. However, the protocol in its present form has 
the disadvantage that one must make many batches of 
keys before any batch is used to encrypt and transmit 
classical message. Note that they must abort the pre- 
shared secret string after the key expansion. To really 
have an advantage in the efficiency, one should generate 
as many secret bits as possible at one time, by that proto- 
col. Blindly generating too many secret bits at one time 
means a higher cost: First, the complexity of decoding 
the error correction code rises rapidly with the size of 
the code. Second, the quantum channel could be expensive. In practice,
it could be the case that we don't know how many secret bits are needed
in the future communication. For example, a detective is sent to his
enemy country Duba from the country VSA. He is scheduled to work in
Duba for only one month and then come back to the headquarters in VSA.
The so-called secret bits will be useless after that month.

The existing protocols for quantum direct communi- 
cation can save some cost of classical communications. 
Unfortunately, they are either insecure [18-20] or only 
quasisecure [21]. Moreover, all of them require quantum 
memory. 

So far, it seems that our protocol is the unique one 
which has the advantage of lower cost of both quantum 
states transmission and classical communication while 
still holding the unconditional security. 

II. OUR PROTOCOLS AND SECURITY PROOF

We shall use the reduction technique. We first reduce the classical
protocol to a quantum protocol (the one that uses perfect entangled
pairs and quantum memories), and then reduce the quantum protocol back
to a classical protocol (the one without any entangled pair or quantum
memory). We start with a trivial scheme, Protocol 1.

Protocol 1: Classical protocol.

Alice and Bob share a secret key, i.e., a $g$-bit random string $G$.
Alice wants to send an $N$-bit classical binary string $s$ to Bob,
$g > N$. She chooses the first $N$ bits from $G$ and denotes this
substring as $b$. She prepares an $N$-qubit string $q$ which is in the
quantum state $|b \oplus s\rangle$, and sends these $N$ qubits to Bob.
Here $\oplus$ is the summation modulo 2. Suppose the values of the
$i$th element in strings $b$ and $s$ are $b_i$ and $s_i$, respectively;
given any value of $b_i \oplus s_i$, she just prepares the $i$th
quantum state $|b_i \oplus s_i\rangle$ accordingly. All qubit states in
$q$ are prepared in $Z$ basis. Bob measures each of the qubits in $Z$
basis and obtains an $N$-bit classical string; taking the $\oplus$
operation of this string and string $b$ he obtains the message string.
Alice and Bob discard string $b$.

This is just classical private communication with one-time-pad.
Obviously, the message string $s$ is perfectly secure no matter how
noisy the quantum channel is. Though there are bit-flip errors in the
transmitted message, there is no information leakage. In this protocol,
the one-time-pad cannot be recycled. Since all qubits are prepared in
$Z$ basis, Eve in principle can have full information of $b \oplus s$
without disturbing the quantum string $q$ at all. For the purpose of
recycling the one-time-pad, we reduce it to our Protocol 2, a quantum
protocol. Later on, we shall classicalize Protocol 2.

Protocol 2: Secure communication with recyclable quantum one-time-pad.

Alice and Bob share $g$ pairs of (exponentially) perfect entangled
pairs of $|\phi^+\rangle = \frac{1}{\sqrt{2}}(|00\rangle + |11\rangle)$.
For convenience we shall call this pair state an EPR pair. Alice wants
to send an $N$-bit classical binary string $s$ to Bob. According to
each individual bit information, she prepares an $N$-qubit quantum
state $|s\rangle$, all of them being prepared in $Z$ basis. She chooses
her halves of the first $N$ pairs from the $g$ pairs and numbers them
from 1 to $N$. We denote these $N$ pairs by $E$, Alice's halves of $E$
by $E_A$, and Bob's halves of $E$ by $E_B$. To each of the $i$th qubit
in $|s\rangle$ and $i$th qubit in $E_A$, she takes a CNOT operation
with the $i$th qubit in $E_A$ being the control qubit and the $i$th
qubit in $|s\rangle$ as the target qubit; $i$ runs from 1 to $N$. She
sends those $N$ target qubits to Bob. Bob takes a CNOT operation on
each of the $i$th received qubit and the $i$th qubit of $E_B$, with the
received qubit being the target qubit and the qubit in $E_B$ being the
control qubit. Bob takes a measurement in $Z$ basis of each of the
target qubits and obtains a classical string. He uses this string as
the message from Alice. The message $s$ in this protocol is as secure
as that in Protocol 1.



Proof. Imagine the case that Alice measures each qubit in $E_A$ in $Z$
basis in the beginning; then Protocol 2 is identical to Protocol 1.
However, no one except Alice knows whether she has taken the
measurement. Therefore she can choose not to measure her halves of the
entangled pairs. This is just Protocol 2. In Protocol 2, $N$ EPR pairs
have been used as a quantum shared key; however, we don't have to
discard them after the message $s$ has been decrypted. Instead, Alice
and Bob may do purification to those $N$ pairs, given the information
of bit-flip rate and phase-flip rate. After the purification, the
outcome pairs can be re-used as (almost) perfect entangled pairs. So
the next question is how to do the purification efficiently. The
bit-flip rate is defined as the percentage of pairs which have been
changed into state
$|\psi^+\rangle = \frac{1}{\sqrt{2}}(|01\rangle + |10\rangle)$ or state
$|\psi^-\rangle = \frac{1}{\sqrt{2}}(|01\rangle - |10\rangle)$; the
phase-flip rate is defined as the percentage of pairs which have been
changed into state
$|\phi^-\rangle = \frac{1}{\sqrt{2}}(|00\rangle - |11\rangle)$ or state
$|\psi^-\rangle$. Or mathematically, if we consider the Pauli channel
consisting of the following operations:

$$\sigma_x = \begin{pmatrix} 0 & 1 \\ 1 & 0 \end{pmatrix}, \quad \sigma_y = \begin{pmatrix} 0 & -i \\ i & 0 \end{pmatrix}, \quad \sigma_z = \begin{pmatrix} 1 & 0 \\ 0 & -1 \end{pmatrix}, \tag{1}$$

the channel operation $\sigma_x$ or $\sigma_y$ causes a bit-flip, and
the channel operation $\sigma_y$ or $\sigma_z$ causes a phase-flip. One
direct way to know the bit-flip rate and phase-flip rate is to let
Alice and Bob randomly take some samples of those pairs and then
measure the samples in $Z$ ($\{|0\rangle, |1\rangle\}$) or in $X$
($\{|\pm\rangle = \frac{1}{\sqrt{2}}(|0\rangle \pm |1\rangle)\}$) basis
on each side, and obtain the statistical values of those flip rates for
the remaining pairs. However, in testing the phase-flip rates with
samples of those used EPR pairs, the corresponding message bits must be
discarded, because once the bit values of EPR pairs are announced, Eve
has a way to attack the encrypted message bits. Moreover, we want to
reduce the protocol back to a classical protocol, therefore we don't
directly sample the entangled pairs. We can have a better way for the
error test. Consider the initial state of an entangled pair and the
quantum state of message bit $|\chi_A\rangle$,

$$|\phi^+\rangle \otimes |\chi_A\rangle. \tag{2}$$

In the most general case $|\chi_A\rangle = \alpha|0\rangle + \beta|1\rangle$
and $|\alpha|^2 + |\beta|^2 = 1$. In our Protocol 2, there will be
Alice's CNOT operation, transmission and Bob's CNOT operation on the
message qubit. In transmission, the encrypted quantum state of the
message bit could bear a flipping error of $\sigma_x$, $\sigma_z$ or
$\sigma_y$. It is easy to see that, after Bob's CNOT operation, a
$\sigma_x$ error of the transmission channel will cause a $\sigma_x$
error to the message qubit only, a $\sigma_z$ error of the transmission
channel will cause a $\sigma_z$ error to the EPR pair and a $\sigma_z$
error to the message qubit, while a $\sigma_y$ error of the
transmission channel will cause a $\sigma_z$ error to the EPR pair and
a $\sigma_y$ error to the message qubit. That is to say, the final
state will be

$$|h_f\rangle = |\phi^+\rangle \otimes (\sigma_x|\chi_A\rangle) \tag{3}$$

given a $\sigma_x$ flip to the encrypted message qubit in transmission;

$$|h_f\rangle = (\sigma_z|\phi^+\rangle) \otimes (\sigma_z|\chi_A\rangle) \tag{4}$$

given a $\sigma_z$ flip to the encrypted qubit in transmission; and

$$|h_f\rangle = (\sigma_z|\phi^+\rangle) \otimes (\sigma_y|\chi_A\rangle) \tag{5}$$

given a $\sigma_y$ flip to the encrypted qubit in transmission. We now
show eq. (4). The other two equations can be shown in a similar way.
Consider the initial state defined by eq. (2). After the CNOT operation
done by Alice, the state is changed to

$$\frac{1}{\sqrt{2}}|00\rangle \otimes |\chi_A\rangle + \frac{1}{\sqrt{2}}|11\rangle \otimes (\alpha|1\rangle + \beta|0\rangle). \tag{6}$$

Suppose there is a phase-flip to the encrypted qubit during the
transmission; the total state is then changed to

$$\frac{1}{\sqrt{2}}|00\rangle \otimes (\alpha|0\rangle - \beta|1\rangle) + \frac{1}{\sqrt{2}}|11\rangle \otimes (-\alpha|1\rangle + \beta|0\rangle). \tag{7}$$

After Bob takes the CNOT operation, the final state is changed to

$$|h_f\rangle = |\phi^-\rangle \otimes (\sigma_z|\chi_A\rangle) = (\sigma_z|\phi^+\rangle) \otimes (\sigma_z|\chi_A\rangle). \tag{8}$$



This completes the proof. Although there could be phase-flips to the
transmitted qubits, as we have shown already, in principle there is no
information leakage of the original message. Therefore we disregard
those phase-flips to the message qubits. Note that the model of Pauli
channel and classical statistics work perfectly here [13-15], given
arbitrary channel noise, including any type of collective noise.
Therefore if we know the bit-flip rate and phase-flip rate of the
channel, we can deduce exactly the flipping rate of those used EPR
pairs. Therefore we can simply mix some qubits (test qubits) in
transmitting the message qubits. We don't do any CNOT operations
(quantum encryption or decryption) to those test qubits. Half of the
test qubits should be prepared in $X$ basis and half of the test qubits
should be prepared in $Z$ basis. All of the test qubits should be mixed
randomly with the message qubits. Bob needs to know the measurement
basis of each qubit so as not to destroy any message qubits. Bob also
needs to know which qubits are for testing and the original state of
each test qubit so as to see the flip-rates of transmission. Therefore,
besides $N$ EPR pairs, they must also share a classical string $b'$ for
the information of bases, positions and bit values of each test qubit.
Suppose after reading the test qubits, Bob finds the error rate of
those test qubits in $X$ basis is $t_0$. Then they may safely assume
$(t_0 + \delta)N$ phase-flips to the used EPR pairs. ($\delta$ is a
very small number.) The probability that the phase-flip rate of those
used EPR pairs is larger than $t_0 + \delta$ is exponentially small. As
we have shown earlier, there is no bit-flip error to the used entangled
pairs. Therefore they may purify the used pairs by the standard
purification protocol [13,16] which costs only $N \cdot H(t_0 + \delta)$
pairs, $H(x) = -x \log_2 x - (1 - x) \log_2 (1 - x)$.
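The error propagation stated in eqs. (3)-(5) can be checked by simulating Protocol 2 on three qubits. This state-vector check is an added example, not part of the original paper; the amplitudes 0.6 and 0.8i are a constructed sample message state and all function names are illustrative.

```python
import math

N_QUBITS = 3  # qubit 0: Alice's EPR half, 1: Bob's EPR half, 2: message qubit

def bit(index, q):
    return (index >> (N_QUBITS - 1 - q)) & 1

def flip(index, q):
    return index ^ (1 << (N_QUBITS - 1 - q))

def cnot(state, control, target):
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        out[flip(i, target) if bit(i, control) else i] += amp
    return out

def pauli(state, q, kind):
    """Apply sigma_x ('x'), sigma_y ('y') or sigma_z ('z') to qubit q."""
    out = [0j] * len(state)
    for i, amp in enumerate(state):
        one = bit(i, q)
        if kind == "z":
            out[i] += -amp if one else amp
        elif kind == "x":
            out[flip(i, q)] += amp
        else:  # sigma_y: |0> -> i|1>, |1> -> -i|0>
            out[flip(i, q)] += amp * (-1j if one else 1j)
    return out

def initial_state(alpha, beta):
    """|phi+> on qubits 0,1 times alpha|0> + beta|1> on qubit 2, as in eq. (2)."""
    state = [0j] * 2 ** N_QUBITS
    for pair in (0b000, 0b110):
        state[pair] = alpha / math.sqrt(2)
        state[pair | 1] = beta / math.sqrt(2)
    return state

def protocol2(alpha, beta, channel_error=None):
    state = cnot(initial_state(alpha, beta), 0, 2)   # Alice encrypts
    if channel_error:
        state = pauli(state, 2, channel_error)       # error in transmission
    return cnot(state, 1, 2)                         # Bob decrypts

def predicted(alpha, beta, channel_error):
    """Right-hand sides of eqs. (3), (4), (5) for 'x', 'z', 'y'."""
    state = initial_state(alpha, beta)
    if channel_error in ("z", "y"):
        state = pauli(state, 0, "z")   # sigma_z on the pair: |phi+> -> |phi->
    return pauli(state, 2, channel_error)

def same_up_to_phase(u, v, tol=1e-12):
    overlap = sum(a.conjugate() * b for a, b in zip(u, v))
    return abs(abs(overlap) - 1) < tol

ALPHA, BETA = 0.6, 0.8j   # constructed sample, |alpha|^2 + |beta|^2 = 1

def check_all():
    return {e: same_up_to_phase(protocol2(ALPHA, BETA, e),
                                predicted(ALPHA, BETA, e)) for e in "xzy"}
```

A bit-flip in transit leaves the pair in $|\phi^+\rangle$, while $\sigma_z$ and $\sigma_y$ both turn it into $|\phi^-\rangle$, which is why only the phase-flip rate matters for recycling.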

Since their purpose is to re-use those pairs securely for private
communication in the future instead of really reproducing the perfect
EPR pairs, they need not really complete the full procedure of the
purification. Instead, as has been shown in Ref. [13], except Alice
herself, no one knows whether she measures all EPR pairs in $Z$ basis
in the beginning of the protocol. Therefore the CSS code can be
classicalized [13] if the purpose is security of private communication
instead of real entanglement purification. Consequently, the initially
shared EPR pairs before running the protocol can be replaced by a
classical random string, and after they run the protocol they recycle
the random string by a classical Hamming code with the phase-error rate
input being $t_0 + \delta$. Protocol 3 can help them to do quantum key
expansion efficiently, without any quantum memory or entanglement
resource:
1. Alice and Bob pre-share a secret classical random string $G$. They
are sure that the bit-flip rate and phase-flip rate of the physical
channel are less than $t_x - \delta$ and $t_z - \delta$, respectively.
(In quantum cryptography, the knowledge of flipping rates of the
physical channel does not guarantee the security in any sense.) They
choose two Hamming codes $C_x$ and $C_z$ which can correct
$(t_x + \delta)M$ bits and $(t_z + \delta)M$ bits of error,
respectively. We suppose $t_x + \delta < 11\%$ and $t_z + \delta < 11\%$.

2. Alice plans to send $N$ deterministic bits, string $s$, to Bob.
Alice and Bob take an $M$-bit substring $b$, an $M'$-bit substring
$b'$, a 200-bit substring $c$ and a 200-bit substring $d$ from $G$,
from left to right. Here M = j^r^ji^-

3. Alice expands the message string $s$ to $S$ by Hamming code $C_x$.
Obviously, there are $M$ bits in the expanded string $S$. She encrypts
the expanded string $S$ with string $b$, i.e., she prepares an
$M$-qubit quantum state $|S_q\rangle = |S \oplus b\rangle$ in $Z$
basis. All these encrypted message qubits are placed in order. She also
produces $rN = 2k$ test qubits and mixes them with those qubits in
$|S_q\rangle$. The position, bit value and preparation basis of each
test qubit are determined by substring $b'$. This requires substring
b' including M' == ^ ^2fc^^ ^ +4^ bits. The bit values (0 or 1),
positions and bases ($X$ or $Z$) of those test qubits must be totally
random, since $b'$ is random. After the mixing, she has a quantum
sequence $q$ which contains $M + 2k$ qubits.

4. Alice transmits sequence $q$ to Bob.

5. Bob reads $b'$. After receiving sequence $q$ from Alice, he measures
each of the qubits in the correct basis. He then separates the test
bits and message bits, with their original positions in each string
being recovered. Bob reads the test bits and checks the error rate
(authentication). If he finds the bit-flip rate $t_{x0} > t$ or
phase-flip rate $t_{z0} > t$ on the test bits, he sends substring
$c \oplus d$ to Alice by classical communication and aborts the
protocol with string $c$ being deleted from $G$. If he finds the
bit-flip rate $t_{x0} < t$ and phase-flip rate $t_{z0} < t$ on the test
bits, he sends substring $c$ to Alice by classical communication and
continues the protocol.

6. Bob deletes $c$ from $G$. He decrypts the encrypted expanded message
string by $b$ and then decodes it by Hamming code $C_x$ and obtains the
message string. The probability that Bob's decoded string is not
identical to the original message string $s$ is exponentially close to
0. The key expansion part (or communication part) has been completed
now.

7. Alice reads the 200-bit classical message from Bob. If it is not
$c$, she aborts the protocol with string $c$ being deleted from $G$.
(This is also authentication.) If it is $c$, she deletes substring $c$
from $G$ and carries out the next step.

8. Alice and Bob replace $b$ by the coset of $b + C_z$ as the recycled
string.

Remark 1. Our cost of qubit transmission is less than half of that in
the BB84 protocol. Our cost of classical communication is almost zero.

Remark 2. After the protocol, strings $b'$ and $d$ can be re-used
safely. In our protocol, even if Alice announces $b'$, $d$, Eve's
information about message $s$ is 0. Therefore the mutual information
between $s$ and $\{b', d\}$ is $I(s : \{b', d\}) = 0$. Therefore, if
message $s$ is announced while $\{b', d\}$ is not announced, Eve's
information about $\{b', d\}$ must also be 0. Consequently, Eve's
information about $\{b', d\}$ must be zero after the protocol.

Remark 3. If we want to reduce the number of pre-shared qubits, we can
use fewer test bits, i.e., reduce the value of $r$. In our protocol,
the total qubits needed is $r^{-1}$ times of that of the BB84 protocol.
To avoid a too large key expansion at one time, we can choose to raise
the value of $\delta$, given a small $r$.
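The message flow of steps 2 to 7 of Protocol 3 under the Pauli-channel model, as an added simulation that is not code from the paper. Assumptions: a 5-fold repetition code stands in for $C_x$, $b'$ is taken as a fixed 64 bits that seed the test-qubit layout, one threshold `t_max` is applied to both rates, and the recycling of $b$ in step 8 is not modelled.

```python
import random

REP = 5            # assumption: 5-fold repetition code stands in for C_x
BPRIME_BITS = 64   # assumption: length taken for b' (the paper's M' is not used)
TOKEN_BITS = 200   # length of substrings c and d (step 2)

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def take(G, n):
    """Split the next n bits off the shared string G, left to right."""
    return G[:n], G[n:]

def run_round(message, G, k, channel, t_max=0.11):
    """Steps 2-7 for one message; returns (status, decoded bits or None)."""
    M = REP * len(message)
    b, G = take(G, M)
    b_prime, G = take(G, BPRIME_BITS)
    c, G = take(G, TOKEN_BITS)
    d, G = take(G, TOKEN_BITS)
    # b' fixes position, basis and value of every test qubit; both parties
    # derive the same layout from it (here by seeding a PRNG, an assumption).
    layout = random.Random(int("".join(map(str, b_prime)), 2))
    # Step 3: encode s -> S, encrypt with b, mix in k X-basis and k Z-basis tests.
    S = [bit for bit in message for _ in range(REP)]
    qubits = [("Z", v, "msg") for v in xor(S, b)]
    for basis in "X" * k + "Z" * k:
        pos = layout.randrange(len(qubits) + 1)
        qubits.insert(pos, (basis, layout.getrandbits(1), "test"))
    # Step 4: Pauli-channel model, one (bit_flip, phase_flip) pair per qubit.
    errors = channel(len(qubits))
    # Step 5: a Z-basis qubit shows bit flips, an X-basis qubit phase flips.
    received, bad = [], {"X": 0, "Z": 0}
    for (basis, value, kind), (bit_flip, phase_flip) in zip(qubits, errors):
        flipped = int(bit_flip if basis == "Z" else phase_flip)
        if kind == "test":
            bad[basis] += flipped
        else:
            received.append(value ^ flipped)
    over = bad["Z"] / k > t_max or bad["X"] / k > t_max
    reply = xor(c, d) if over else c        # Bob's 200-bit classical message
    # Step 7: Alice continues only if the reply equals c.
    if reply != c:
        return "abort", None
    # Step 6: decrypt with b, then majority-decode each repetition block.
    S_rx = xor(received, b)
    return "ok", [int(sum(S_rx[i:i + REP]) > REP // 2) for i in range(0, M, REP)]

def noisy_channel(p, rng):
    """Independent bit flips and phase flips, each with probability p."""
    return lambda n: [(rng.random() < p, rng.random() < p) for _ in range(n)]

def z_measuring_eve(rng):
    """Eve measures every qubit in Z and resends: Z-basis states survive,
    X-basis states are randomised (phase flip with probability 1/2)."""
    return lambda n: [(False, rng.random() < 0.5) for _ in range(n)]

def demo(seed=1):
    rng = random.Random(seed)
    G = [rng.getrandbits(1) for _ in range(1000)]     # constructed shared key
    msg = [rng.getrandbits(1) for _ in range(16)]     # constructed message
    honest = run_round(msg, G, 200, noisy_channel(0.01, rng))
    attacked = run_round(msg, G, 200, z_measuring_eve(rng))
    return msg, honest, attacked
```

The second run shows why the X-basis test qubits matter: an eavesdropper who reads every qubit in $Z$ causes no bit flips at all, yet the phase-flip rate on the test qubits is near one half and the round aborts.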

III. EXISTING PROTOCOLS OF DIRECT 
COMMUNICATION WITH QUBITS ARE 
INSECURE. 

Our protocol cannot be replaced by any existing direct communication
protocol [17-21] with quantum states. The insecurity of existing direct
communication protocols has been pointed out already for the case of a
noisy channel [18,19]. Here we show that these protocols are not
exponentially secure even with a noiseless quantum channel. We suppose
that there are $m$ test qubits and $N$ message qubits. Consider the
best case that they find no error in the test bits. Even in such a
case, the message is still polynomially insecure: Eve has
non-negligible probability to obtain a few bits of information about
the message. For example, Eve just intercepts one qubit in transmission
and measures it in $Z$ basis ($\{|0\rangle, |1\rangle\}$) and then
resends it to Bob. Suppose the physical channel itself is noiseless.
Obviously, there is a probability of $N/(N + m)$ that Bob finds no
error in the test bits while Eve has one bit of information about the
message. In particular, in certain cases, 1 bit leakage of the message
is disastrous [14]. Such type of direct private communication is
insecure even with a noiseless quantum channel, since the zero error of
test bits only guarantees less than $\delta$ errors of the message
bits; it does not guarantee zero phase-flip of the message bits. In
principle, there is no way to verify zero phase-flip error of the
untested bits by looking at the test bits only. The insecurity of
existing protocols is due to the lack of a privacy amplification step,
which is the main issue of the security of private communication. One
cannot directly append a privacy amplification step here since this may
change the message bits and therefore destroy the message. One of the
non-trivial points of our protocol is that the transmitted message bits
in our protocol are unconditionally secure without any privacy
amplification, no matter how noisy the channel is. There we only need
to correct the bit-flip errors in the message. This does not change the
message itself.

IV. DISCUSSIONS 

Our protocol can obviously be used for both key expansion and direct
communication. In the security proof, we have used a pre-condition that
Eve has zero information about the pre-shared string $G$. However,
strictly speaking, this condition does not hold in our real protocol.
First, as we have argued, the pre-shared string can be generated by the
standard BB84 QKD protocol, where Eve's information about the shared
key is exponentially close to 0 instead of strictly 0. Second, Eve's
information about the recycled string is also exponentially close to 0
rather than 0. Eve's exponentially small prior information is not a
problem for the security of classical private communication. However,
here we have used quantum states to carry the classical message. Eve
may store her quantum information about the pre-shared (or recycled)
secret string and directly attack the decoded message or the updated
key finally. With the universality of quantum composability [22], we
know that Eve's exponentially small amount of prior information about
the pre-shared string or the recycled string will only cause an
exponentially small amount of information about the private message or
the updated shared string. Therefore our protocol is unconditionally
secure in the real case that Eve has an exponentially small amount of
information about the pre-shared key.